Microsoft Adds Attack-Detection Capability to Exchange Online

Businesses can now use session ID information in their Exchange Online audit logs, giving them another tool to detect untoward activities.

Microsoft green-lit the new ability on Friday, according to this announcement. Tapping the session ID information permits the logging of all Exchange Online activities, even when an attacker has used the same IP address as a particular end user for an attack. IT pros can see the activities of an attacker even when IP addresses get obscured by the use of third-party virtual private networks (VPNs) or Tor networks, or even when an organization's own VPN has been compromised, Microsoft's announcement explained. Attacker actions get traced via the session ID, on top of the IP address.

Audit log information for Exchange Online, including session ID info, can be found in Microsoft's Security and Compliance Center and Microsoft Cloud App Security products. However, the information also is available for use with other non-Microsoft security information and event management products, according to Microsoft.

Auditing was turned on by default for Exchange Online users starting this year, according to the announcement. However, IT pros should check to make sure that it really is turned on. Here's how Microsoft expressed that idea:

To get the full range of audit data in Exchange, you need to make sure mailbox auditing is turned on. Starting from the 2019 calendar year, auditing will be enabled by default but you should check if your organization has auditing enabled from this blogpost.

Microsoft first said it would turn on Exchange Online auditing by default back in July, according to the "blogpost" referenced above. However, it seems that some Office 365 tenancies may be just starting to get it this year.

The session ID information pushed into the Exchange Online audit logs actually comes from Azure Active Directory tokens, so organizations will need to be using that identity and access management service to leverage the session ID information. Furthermore, organizations need to have so-called "modern authentication" in place. Modern authentication is Microsoft's phrase for the use of Active Directory Authentication Library and OAuth 2.0 technologies.

The use of modern authentication further requires blocking Microsoft's "legacy" or older authentication schemes that are associated with Exchange Online clients older than Outlook 2013. Microsoft also refers to these legacy authentication methods as "basic authentication." Basic authentication doesn't permit improved schemes like multifactor authentication, where a secondary means of verifying the user's identity is required, typically via a phone call or messaging service.

Microsoft also really wants organizations using Exchange Online to block legacy or basic authentication. Here's how the announcement expressed that point:

The benefits of blocking basic authentication cannot be overstated; they enable a host of protection capabilities. You can find more information about how to block legacy authentication and the benefits in this blogpost.

In October, Microsoft had announced a preview of a new capability that permits IT pros to disable basic authentication across an Exchange Online tenancy using authentication policies. According to the Microsoft 365 roadmap page, that capability got launched in the third quarter of 2018. Modern authentication needs to be enabled first before disabling basic authentication, Microsoft's documentation explained.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Vows To Ease European Cloud Infrastructure Burden

    Microsoft announced new revamps to its Microsoft Cloud Solution Provider partner program to pacify European regulators.

  • Citrix HDX Option Coming to Windows 365 Subscribers

    Citrix's "high-definition user experience" (HDX) technologies will be available as an option for Windows 365 desktop-as-a-service users, according to a joint announcement by Microsoft and Citrix.

  • Ransomware Report: Don't Pay the Attackers

    According to a recent report, paying the ransom for an organization's hijacked data doesn't ensure return of the stolen data.

  • Veeam Adding Intelligence to Microsoft 365 Backup Solution

    Backup and recovery giant and major Microsoft partner Veeam unveiled a raft of new features to its solution portfolio at its VeeamON conference this week.